
When attempting to deploy an Azure Container App using Terraform, I encounter the error message:

Cannot remove secrets from Container Apps at this time due to a limitation in the Container Apps Service. Please see https://github.com/microsoft/azure-container-apps/issues/395 for more details.

Despite not attempting to directly modify any secrets, I'm unable to proceed with the deployment. The closed issue they mention here seems to be related to the problem, but it didn't help much. This is something that suddenly started happening without any changes to the code as well.

I'm using the terraform version - 3.101.0

    resource "azurerm_container_app" "container_app" {
      name                         = var.app_name
      container_app_environment_id = var.ca_environment
      resource_group_name          = var.resource_group_name
      revision_mode                = "Single"

      ingress {
        external_enabled = true
        target_port      = var.port
        traffic_weight {
          percentage      = 100
          latest_revision = true
        }
      }

      secret {
        name  = "container-registry-password"
        value = var.registry_credentials.registry_key
      }

      registry {
        server               = var.registry_credentials.registry_server_url
        username             = var.registry_credentials.registry_username
        password_secret_name = "container-registry-password"
      }

      template {
        container {
          name   = "app-container"
          image  = "${var.registry_credentials.registry_server_url}/${var.image_name}:latest"
          cpu    = 1
          memory = "2Gi"

          dynamic "env" {
            for_each = var.configs
            content {
              name  = env.value.name
              value = env.value.value
            }
          }
          liveness_probe {
            transport               = "HTTP"
            path                    = var.liveness_path
            port                    = var.port
            initial_delay           = 30
            interval_seconds        = 30
            timeout                 = 15
            failure_count_threshold = 3
          }
        }
        min_replicas = 1
        max_replicas = 3
      }
    }

How can I get this issue resolved?

  • Hi Kamal Rathnayake, Share the Terraform code, what have you tried? Commented Apr 29, 2024 at 8:26
  • Hi @VenkatV, Edited the question with the code. Commented Apr 29, 2024 at 9:05
  • I tried your code, and it seems to be working fine. Here is my result. If you're still encountering issues, you can create the container app using user identity instead of ACR username and password. Commented Apr 29, 2024 at 9:59
  • @VenkatV, Thanks! Let me give it a try. The weird thing is this is something that has been working fine. Do you have any theory on why it suddenly stopped working? :D Commented Apr 29, 2024 at 10:19
  • If the container app was already created earlier with a secret, and you are trying to run the code again, the code will attempt to remove and recreate a secret with the same value. However, this process is failing due to a limitation. Alternatively, you can also create using user identity. Commented Apr 29, 2024 at 11:32

1 Answer

When attempting to deploy an Azure Container App using Terraform, I encounter the error message: Cannot remove secrets from Container Apps at this time due to a limitation in the Container Apps Service.

The above error usually occurs due to the removal of an existing secret or adding AD authentication to a container app.

Alternatively, you can also create the container app deployment using the user identity method.

Here is the updated Terraform code with the user identity method.

Note: Please ensure that you have role assignment access to assign the acrpull role to the user-assigned identity.

    provider "azurerm" {
      features {}
    }

    data "azurerm_resource_group" "example" {
      name = "RG-Name"
    }

    data "azurerm_container_registry" "acr" {
      name                = "arkoacr"
      resource_group_name = "RG-Name"
    }

    # Identity the container app uses to pull from the registry (no stored password)
    resource "azurerm_user_assigned_identity" "containerapp" {
      location            = data.azurerm_resource_group.example.location
      name                = "containerappmi"
      resource_group_name = data.azurerm_resource_group.example.name
    }

    # Grant the identity pull-only access, scoped to this registry
    resource "azurerm_role_assignment" "containerapp" {
      scope                = data.azurerm_container_registry.acr.id
      role_definition_name = "AcrPull" # canonical name of the built-in role
      principal_id         = azurerm_user_assigned_identity.containerapp.principal_id
      depends_on = [
        azurerm_user_assigned_identity.containerapp
      ]
    }

    resource "azurerm_container_app_environment" "example" {
      name                = "container-Environment1"
      location            = data.azurerm_resource_group.example.location
      resource_group_name = data.azurerm_resource_group.example.name
    }

    resource "azurerm_container_app" "container_app" {
      name                         = "demo-container"
      container_app_environment_id = azurerm_container_app_environment.example.id
      resource_group_name          = data.azurerm_resource_group.example.name
      revision_mode                = "Single"

      ingress {
        external_enabled = true
        target_port      = 5000
        traffic_weight {
          percentage      = 100
          latest_revision = true
        }
      }

      identity {
        type         = "UserAssigned"
        identity_ids = [azurerm_user_assigned_identity.containerapp.id]
      }

      # Registry authentication through the identity instead of a secret block
      registry {
        server   = data.azurerm_container_registry.acr.login_server
        identity = azurerm_user_assigned_identity.containerapp.id
      }

      template {
        container {
          name   = "app-container"
          image  = "${data.azurerm_container_registry.acr.login_server}/sample/hello-world:v1"
          cpu    = 1
          memory = "2Gi"

          liveness_probe {
            transport               = "HTTP"
            path                    = ""
            port                    = 5000
            initial_delay           = 30
            interval_seconds        = 30
            timeout                 = 15
            failure_count_threshold = 3
          }
        }
        min_replicas = 1
        max_replicas = 3
      }
    }

Terraform apply:

After running the Terraform code, the container app has been created successfully with the existing registry image.

Reference: Cannot remove secrets from Container Apps at this time due to a limitation in the Container Apps Service
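
A pre-apply check for the condition described in the comments and the answer above (an added example, not code from the question or the answer): it reads the JSON form of a saved plan (`terraform plan -out tfplan`, then `terraform show -json tfplan`) and lists every `azurerm_container_app` whose in-place update would drop a secret, which is also what a plan looks like when an existing app is switched from a registry password to an identity. It assumes `secret` blocks appear under `change.before` and `change.after` as objects with a `name` key; the sample plan and the two extra resource addresses are constructed.

```python
import json
import sys

# Constructed sample shaped like `terraform show -json tfplan` output.
# Assumption: each `secret` block is an object with a "name" key.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_container_app.container_app",
     "type": "azurerm_container_app",
     "change": {"actions": ["update"],
                "before": {"secret": [{"name": "container-registry-password",
                                       "value": "constructed-placeholder"}]},
                "after": {"secret": []}}},
    {"address": "azurerm_container_app.rotated",  # hypothetical second app
     "type": "azurerm_container_app",
     "change": {"actions": ["update"],
                "before": {"secret": [{"name": "api-key", "value": "old"}]},
                "after": {"secret": [{"name": "api-key", "value": "new"}]}}},
    {"address": "azurerm_container_app.fresh",  # hypothetical new app
     "type": "azurerm_container_app",
     "change": {"actions": ["create"], "before": None,
                "after": {"secret": [{"name": "api-key", "value": "new"}]}}},
]})

def secret_names(obj):
    """Secret names in a plan before/after object (None on create/delete)."""
    secrets = (obj or {}).get("secret") or []
    return {s["name"] for s in secrets if isinstance(s, dict) and s.get("name")}

def removed_secrets(plan_json):
    """Map resource address -> secret names an in-place update would drop."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_container_app":
            continue
        if change.get("actions") != ["update"]:
            continue  # only in-place updates change secrets on an existing app
        dropped = secret_names(change.get("before")) - secret_names(change.get("after"))
        if dropped:
            findings[rc["address"]] = sorted(dropped)
    return findings

if __name__ == "__main__":
    # Usage: python check_plan.py plan.json  (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    found = removed_secrets(text)
    for addr, names in found.items():
        print(f"{addr}: plan removes secret(s): {', '.join(names)}")
    sys.exit(1 if found else 0)
```

The JSON rendering of a plan contains secret values in clear text, so treat the file like the state file: keep it out of build artifacts and delete it after the check.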
